適用於計算的 Azure 內建角色
本文列出計算類別中的 Azure 內建角色。
Azure Arc VMware VM 參與者
Arc VMware VM 參與者具有執行所有 VM 動作的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.ConnectedVMwarevSphere/virtualmachines/* | |
| Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/* | |
| Microsoft.Insights/AlertRules/Write | 建立或更新傳統計量警示 |
| Microsoft.Insights/AlertRules/Delete | 刪除傳統計量警示 |
| Microsoft.Insights/AlertRules/Read | 讀取傳統計量警示 |
| Microsoft.Insights/AlertRules/Activated/Action | 已啟動傳統計量警示 |
| Microsoft.Insights/AlertRules/Resolved/Action | 已解決傳統計量警示 |
| Microsoft.Insights/AlertRules/Throttled/Action | 傳統計量警示規則已節流 |
| Microsoft.Insights/AlertRules/Incidents/Read | 讀取傳統計量警示事件 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/deployments/delete | 刪除部署。 |
| Microsoft.Resources/deployments/cancel/action | 取消部署。 |
| Microsoft.Resources/deployments/validate/action | 驗證部署。 |
| Microsoft.Resources/deployments/whatIf/action | 預測範本部署變更。 |
| Microsoft.Resources/deployments/exportTemplate/action | 匯出部署的範本 |
| Microsoft.Resources/deployments/operations/read | 取得或列出部署作業。 |
| Microsoft.Resources/deployments/operationstatuses/read | 取得或列出部署作業狀態。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/read | 取得或列出部署。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read | 取得或列出部署作業。 |
| Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read | 取得或列出部署作業狀態。 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/subscriptions/operationresults/read | 取得訂用帳戶作業結果。 |
| Microsoft.HybridCompute/machines/read | 讀取任何 Azure Arc 機器 |
| Microsoft.HybridCompute/machines/write | 寫入 Azure Arc 機器 |
| Microsoft.HybridCompute/machines/delete | 刪除 Azure Arc 機器 |
| Microsoft.HybridCompute/machines/UpgradeExtensions/action | 升級 Azure Arc 機器上的擴充功能 |
| Microsoft.HybridCompute/machines/assessPatches/action | 評估任何 Azure Arc 機器以取得遺漏的軟體修補程式 |
| Microsoft.HybridCompute/machines/installPatches/action | 在任何 Azure Arc 計算機上安裝修補程式 |
| Microsoft.HybridCompute/machines/extensions/read | 讀取任何 Azure Arc 延伸模組 |
| Microsoft.HybridCompute/machines/extensions/write | 安裝或更新 Azure Arc 擴充功能 |
| Microsoft.HybridCompute/machines/extensions/delete | 刪除 Azure Arc 擴充功能 |
| Microsoft.HybridCompute/operations/read | 讀取適用於伺服器的 Azure Arc 的所有作業 |
| Microsoft.HybridCompute/locations/operationresults/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.HybridCompute/locations/operationstatus/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.HybridCompute/machines/patchAssessmentResults/read | 讀取任何 Azure Arc patchAssessmentResults |
| Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read | 讀取任何 Azure Arc patchAssessmentResults/softwarePatches |
| Microsoft.HybridCompute/machines/patchInstallationResults/read | 讀取任何 Azure Arc patchInstallationResults |
| Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read | 讀取任何 Azure Arc patchInstallationResults/softwarePatches |
| Microsoft.HybridCompute/locations/updateCenterOperationResults/read | 讀取電腦上更新中心作業的狀態 |
| Microsoft.HybridCompute/machines/hybridIdentityMetadata/read | 讀取任何 Azure Arc 機器的混合式身分識別元數據 |
| Microsoft.HybridCompute/osType/agentVersions/read | 讀取所有可用的 Azure 連線機器代理程式版本 |
| Microsoft.HybridCompute/osType/agentVersions/latest/read | 閱讀最新的 Azure 連線機器代理程式版本 |
| Microsoft.HybridCompute/machines/runcommands/read | 讀取任何 Azure Arc Runcommands |
| Microsoft.HybridCompute/machines/runcommands/write | 安裝或更新 Azure Arc Runcommands |
| Microsoft.HybridCompute/machines/runcommands/delete | 刪除 Azure Arc Runcommands |
| Microsoft.HybridCompute/machines/licenseProfiles/read | 讀取任何 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/machines/licenseProfiles/write | 安裝或更新 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/machines/licenseProfiles/delete | 刪除 Azure Arc licenseProfiles |
| Microsoft.HybridCompute/licenses/read | 讀取任何 Azure Arc 授權 |
| Microsoft.HybridCompute/licenses/write | 安裝或更新 Azure Arc 授權 |
| Microsoft.HybridCompute/licenses/delete | 刪除 Azure Arc 授權 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Arc VMware VM Contributor has permissions to perform all VM actions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b748a06d-6150-4f8a-aaa9-ce3940cd96cb",
"name": "b748a06d-6150-4f8a-aaa9-ce3940cd96cb",
"permissions": [
{
"actions": [
"Microsoft.ConnectedVMwarevSphere/virtualmachines/*",
"Microsoft.ConnectedVMwarevSphere/virtualmachineinstances/*",
"Microsoft.Insights/AlertRules/Write",
"Microsoft.Insights/AlertRules/Delete",
"Microsoft.Insights/AlertRules/Read",
"Microsoft.Insights/AlertRules/Activated/Action",
"Microsoft.Insights/AlertRules/Resolved/Action",
"Microsoft.Insights/AlertRules/Throttled/Action",
"Microsoft.Insights/AlertRules/Incidents/Read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/cancel/action",
"Microsoft.Resources/deployments/validate/action",
"Microsoft.Resources/deployments/whatIf/action",
"Microsoft.Resources/deployments/exportTemplate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
"Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/machines/write",
"Microsoft.HybridCompute/machines/delete",
"Microsoft.HybridCompute/machines/UpgradeExtensions/action",
"Microsoft.HybridCompute/machines/assessPatches/action",
"Microsoft.HybridCompute/machines/installPatches/action",
"Microsoft.HybridCompute/machines/extensions/read",
"Microsoft.HybridCompute/machines/extensions/write",
"Microsoft.HybridCompute/machines/extensions/delete",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/read",
"Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/read",
"Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
"Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
"Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
"Microsoft.HybridCompute/osType/agentVersions/read",
"Microsoft.HybridCompute/osType/agentVersions/latest/read",
"Microsoft.HybridCompute/machines/runcommands/read",
"Microsoft.HybridCompute/machines/runcommands/write",
"Microsoft.HybridCompute/machines/runcommands/delete",
"Microsoft.HybridCompute/machines/licenseProfiles/read",
"Microsoft.HybridCompute/machines/licenseProfiles/write",
"Microsoft.HybridCompute/machines/licenseProfiles/delete",
"Microsoft.HybridCompute/licenses/read",
"Microsoft.HybridCompute/licenses/write",
"Microsoft.HybridCompute/licenses/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Arc VMware VM Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
傳統虛擬機器參與者
可讓您管理傳統虛擬機器,但無法加以存取它們,以及其所連結至的虛擬網路或儲存體帳戶。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.ClassicCompute/domainNames/* | 建立和管理傳統計算功能變數名稱 |
| Microsoft.ClassicCompute/virtualMachines/* | 建立和管理虛擬機器 |
| Microsoft.ClassicNetwork/networkSecurityGroups/join/action | |
| Microsoft.ClassicNetwork/reservedIps/link/action | 連結保留的Ip |
| Microsoft.ClassicNetwork/reservedIps/read | 取得保留的 Ips |
| Microsoft.ClassicNetwork/virtualNetworks/join/action | 加入虛擬網路。 |
| Microsoft.ClassicNetwork/virtualNetworks/read | 取得虛擬網路。 |
| Microsoft.ClassicStorage/storageAccounts/disks/read | 傳回記憶體帳戶磁碟。 |
| Microsoft.ClassicStorage/storageAccounts/images/read | 傳回記憶體帳戶映像。 (已被取代。使用 'Microsoft.ClassicStorage/storageAccounts/vmImages') |
| Microsoft.ClassicStorage/storageAccounts/listKeys/action | 列出記憶體帳戶的存取金鑰。 |
| Microsoft.ClassicStorage/storageAccounts/read | 傳回具有指定帳戶的記憶體帳戶。 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"name": "d73bb868-a0df-4d4d-bd69-98a00b01fccb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicCompute/domainNames/*",
"Microsoft.ClassicCompute/virtualMachines/*",
"Microsoft.ClassicNetwork/networkSecurityGroups/join/action",
"Microsoft.ClassicNetwork/reservedIps/link/action",
"Microsoft.ClassicNetwork/reservedIps/read",
"Microsoft.ClassicNetwork/virtualNetworks/join/action",
"Microsoft.ClassicNetwork/virtualNetworks/read",
"Microsoft.ClassicStorage/storageAccounts/disks/read",
"Microsoft.ClassicStorage/storageAccounts/images/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Classic Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
計算資源庫成品發行者
這是發佈資源庫成品的角色。
| 動作 | 描述 |
|---|---|
| Microsoft.Compute/galleries/* | |
| Microsoft.Compute/locations/capsOperations/read | 取得異步 Caps 作業的狀態 |
| Microsoft.Compute/locations/communityGalleries/* | |
| Microsoft.Compute/locations/sharedGalleries/* | |
| Microsoft.Compute/images/* | |
| Microsoft.Compute/virtualMachines/write | 建立新的虛擬機或更新現有的虛擬機 |
| Microsoft.Compute/disks/write | 建立新的磁碟或更新現有的磁碟 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| Microsoft.Compute/galleries/share/action | 將資源庫提供給不同的範圍 |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This is the role for publishing gallery artifacts.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
"name": "85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/*",
"Microsoft.Compute/locations/capsOperations/read",
"Microsoft.Compute/locations/communityGalleries/*",
"Microsoft.Compute/locations/sharedGalleries/*",
"Microsoft.Compute/images/*",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/disks/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.Compute/galleries/share/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Artifacts Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
計算資源庫共用管理員
此角色可讓使用者將資源庫共用至另一個訂用帳戶/租使用者,或將其共用給公用。
| 動作 | 描述 |
|---|---|
| Microsoft.Compute/galleries/share/action | 將資源庫提供給不同的範圍 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role allows user to share gallery to another subscription/tenant or share it to the public.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b",
"name": "1ef6a3be-d0ac-425d-8c01-acb62866290b",
"permissions": [
{
"actions": [
"Microsoft.Compute/galleries/share/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Compute Gallery Sharing Admin",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
受控磁碟的資料操作員
提供許可權,以使用SAS URI和 Azure AD 驗證將數據上傳至空的受控磁碟、讀取或匯出受控磁碟(未連結至執行中的 VM)和快照集。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/disks/download/action | 在磁碟 SAS URI 上執行讀取資料作業 |
| Microsoft.Compute/disks/upload/action | 在磁碟 SAS URI 上執行寫入資料作業 |
| Microsoft.Compute/snapshots/download/action | 在快照集 SAS URI 上執行讀取數據作業 |
| Microsoft.Compute/snapshots/upload/action | 在快照集 SAS URI 上執行寫入數據作業 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/959f8984-c045-4866-89c7-12bf9737be2e",
"name": "959f8984-c045-4866-89c7-12bf9737be2e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.Compute/disks/download/action",
"Microsoft.Compute/disks/upload/action",
"Microsoft.Compute/snapshots/download/action",
"Microsoft.Compute/snapshots/upload/action"
],
"notDataActions": []
}
],
"roleName": "Data Operator for Managed Disks",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化應用程式群組參與者
桌面虛擬化應用程式群組的參與者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/applicationgroups/* | |
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 讀取 hostpools/sessionhosts |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Application Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/86240b0e-9422-4c43-887b-b61143f32ba8",
"name": "86240b0e-9422-4c43-887b-b61143f32ba8",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化應用程式群組讀者
桌面虛擬化應用程式群組的讀取者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/applicationgroups/*/read | |
| Microsoft.DesktopVirtualization/applicationgroups/read | 讀取應用程式群組 |
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 讀取 hostpools/sessionhosts |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/read | 讀取傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Application Group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
"name": "aebf23d0-b568-4e86-b8f9-fe83a2c6ab55",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/applicationgroups/*/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Application Group Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化參與者
桌面虛擬化的參與者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Contributor of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/082f0a83-3be5-4ba1-904c-961cca79b387",
"name": "082f0a83-3be5-4ba1-904c-961cca79b387",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化主機集區參與者
桌面虛擬化主機集區的參與者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e307426c-f9b6-4e81-87de-d99efb3c32bc",
"name": "e307426c-f9b6-4e81-87de-d99efb3c32bc",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化主機集區讀者
桌面虛擬化主機集區的讀取者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/*/read | |
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/read | 讀取傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Host Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ceadfde2-b300-400a-ab7b-6143895aa822",
"name": "ceadfde2-b300-400a-ab7b-6143895aa822",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/*/read",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Host Pool Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化啟動參與者
提供 Azure 虛擬桌面資源提供者啟動虛擬機的許可權。
| 動作 | 描述 |
|---|---|
| Microsoft.Compute/virtualMachines/start/action | 啟動虛擬機器 |
| Microsoft.Compute/virtualMachines/read | 取得虛擬機器的屬性 |
| Microsoft.Compute/virtualMachines/instanceView/read | 取得虛擬機及其資源的詳細運行時間狀態 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.HybridCompute/machines/read | 讀取任何 Azure Arc 機器 |
| Microsoft.HybridCompute/operations/read | 讀取適用於伺服器的 Azure Arc 的所有作業 |
| Microsoft.HybridCompute/locations/operationresults/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.HybridCompute/locations/operationstatus/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.AzureStackHCI/virtualMachineInstances/read | 取得/列出虛擬機實例資源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/start/action | 啟動虛擬機實例資源 |
| Microsoft.AzureStackHCI/operations/read | 取得作業 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource Provider to start virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/489581de-a3bd-480d-9518-53dea7416b33",
"name": "489581de-a3bd-480d-9518-53dea7416b33",
"permissions": [
{
"actions": [
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/operations/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化啟動/關閉參與者
提供 Azure 虛擬桌面資源提供者的許可權,以啟動和停止虛擬機。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.AzureStackHCI/operations/read | 取得作業 |
| Microsoft.AzureStackHCI/virtualMachineInstances/read | 取得/列出虛擬機實例資源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/restart/action | 重新啟動虛擬機實例資源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/start/action | 啟動虛擬機實例資源 |
| Microsoft.AzureStackHCI/virtualMachineInstances/stop/action | 停止虛擬機實例資源 |
| Microsoft.Compute/virtualMachines/deallocate/action | 關閉虛擬機並釋放計算資源 |
| Microsoft.Compute/virtualMachines/instanceView/read | 取得虛擬機及其資源的詳細運行時間狀態 |
| Microsoft.Compute/virtualMachines/powerOff/action | 關閉虛擬機。 請注意,虛擬機將繼續計費。 |
| Microsoft.Compute/virtualMachines/read | 取得虛擬機器的屬性 |
| Microsoft.Compute/virtualMachines/restart/action | 重新啟動虛擬機 |
| Microsoft.Compute/virtualMachines/start/action | 啟動虛擬機器 |
| Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action | virtualMachinesCancelOperations:虛擬機的 cancelOperations |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action | virtualMachinesExecuteDeallocate:執行虛擬機的 executeDeallocate |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action | virtualMachinesExecuteHibernate:虛擬機的 executeHibernate |
| Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action | virtualMachinesExecuteStart:虛擬機的 executeStart |
| Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action | |
| Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action | virtualMachinesGetOperationStatus:虛擬機的 getOperationStatus |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action | virtualMachinesSubmitDeallocate:提交虛擬機的 submitDeallocate |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action | virtualMachinesSubmitHibernate:提交虛擬機的 submitHibernate |
| Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action | virtualMachinesSubmitStart:提交虛擬機的Start |
| Microsoft.ComputeSchedule/register/action | 註冊 Microsoft.ComputeSchedule 的訂用帳戶 |
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 讀取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete | 刪除 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read | 讀取 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | 將訊息傳送至用戶會話 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/write | 寫入 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/write | 寫入主機集區 |
| Microsoft.HybridCompute/locations/operationresults/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.HybridCompute/locations/operationstatus/read | 讀取 Microsoft.HybridCompute 資源提供者上的作業狀態 |
| Microsoft.HybridCompute/machines/read | 讀取任何 Azure Arc 機器 |
| Microsoft.HybridCompute/operations/read | 讀取適用於伺服器的 Azure Arc 的所有作業 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Insights/eventtypes/values/read | 讀取活動記錄事件 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provide permission to the Azure Virtual Desktop Resource Provider to start and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/40c5ff49-9181-41f8-ae61-143b0e78555e",
"name": "40c5ff49-9181-41f8-ae61-143b0e78555e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.AzureStackHCI/operations/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/read",
"Microsoft.AzureStackHCI/virtualMachineInstances/restart/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/start/action",
"Microsoft.AzureStackHCI/virtualMachineInstances/stop/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesCancelOperations/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteDeallocate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteHibernate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesExecuteStart/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationErrors/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesGetOperationStatus/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitDeallocate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitHibernate/action",
"Microsoft.ComputeSchedule/locations/virtualMachinesSubmitStart/action",
"Microsoft.ComputeSchedule/register/action",
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.HybridCompute/locations/operationresults/read",
"Microsoft.HybridCompute/locations/operationstatus/read",
"Microsoft.HybridCompute/machines/read",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/eventtypes/values/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Power On Off Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化讀者
桌面虛擬化的讀取者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/*/read | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/read | 讀取傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Reader of Desktop Virtualization.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/49a72310-ab8d-41df-bbb0-79b649203868",
"name": "49a72310-ab8d-41df-bbb0-79b649203868",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化工作階段主機操作者
桌面虛擬化工作階段主機的操作員。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Session Host.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2ad6aaab-ead9-4eaa-8ac5-da422f562408",
"name": "2ad6aaab-ead9-4eaa-8ac5-da422f562408",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Session Host Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化使用者
允許使用者在應用程式群組中使用應用程式。
| 動作 | 描述 |
|---|---|
| none | |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.DesktopVirtualization/applicationGroups/useApplications/action | 使用 ApplicationGroup |
| Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action | 允許應用程式群組中應用程式附加套件的用戶許可權 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Allows user to use the applications in an application group.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"name": "1d18fff3-a72a-46b5-b4a9-0b38a3cd7e63",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DesktopVirtualization/applicationGroups/useApplications/action",
"Microsoft.DesktopVirtualization/appAttachPackages/useApplications/action"
],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化使用者工作階段操作者
桌面虛擬化使用者工作階段的操作員。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 讀取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/* | |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Operator of the Desktop Virtualization Uesr Session.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
"name": "ea4bfff8-7fb4-485a-aadd-d4129a0ffaa6",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization User Session Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化虛擬機器參與者
此角色處於預覽狀態,且可能會變更。 提供 Azure 虛擬桌面資源提供者的許可權,以建立、刪除、更新、啟動和停止虛擬機。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/hostpools/read | 讀取主機集區 |
| Microsoft.DesktopVirtualization/hostpools/write | 寫入主機集區 |
| Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action | 列出主機集區的註冊令牌 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/read | 讀取 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/write | 寫入 hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete | 刪除hostpools/sessionhosts |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read | 讀取 hostpools/sessionhosts/usersessions |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action | 中斷用戶會話窗體會話主機的連線 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action | 將訊息傳送至用戶會話 |
| Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read | 讀取 hostpools/sessionhostconfigurations |
| Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action | 客戶不打算呼叫的內部作業。 這會在未來版本中移除。 不要使用它。 |
| Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action | 重試布建的動作。 |
| Microsoft.Compute/availabilitySets/read | 取得可用性設定組的屬性 |
| Microsoft.Compute/availabilitySets/write | 建立新的可用性設定組或更新現有的可用性設定組 |
| Microsoft.Compute/availabilitySets/vmSizes/read | 列出可用性設定組中建立或更新虛擬機的可用大小 |
| Microsoft.Compute/disks/read | 取得磁碟的屬性 |
| Microsoft.Compute/disks/write | 建立新的磁碟或更新現有的磁碟 |
| Microsoft.Compute/disks/delete | 刪除磁碟 |
| Microsoft.Compute/galleries/read | 取得資源庫的屬性 |
| Microsoft.Compute/galleries/images/read | 取得資源庫映像的屬性 |
| Microsoft.Compute/galleries/images/versions/read | 取得資源庫映像版本的屬性 |
| Microsoft.Compute/images/read | 取得 Image 的屬性 |
| Microsoft.Compute/locations/usages/read | 取得訂用帳戶計算資源在位置中的服務限制和目前使用量數量 |
| Microsoft.Compute/locations/vmSizes/read | 列出位置中可用的虛擬機大小 |
| Microsoft.Compute/operations/read | 列出 Microsoft.Compute 資源提供者上可用的作業 |
| Microsoft.Compute/skus/read | 取得訂用帳戶可用的 Microsoft.Compute SKU 清單 |
| Microsoft.Compute/virtualMachines/read | 取得虛擬機器的屬性 |
| Microsoft.Compute/virtualMachines/write | 建立新的虛擬機或更新現有的虛擬機 |
| Microsoft.Compute/virtualMachines/delete | 刪除虛擬機 |
| Microsoft.Compute/virtualMachines/start/action | 啟動虛擬機器 |
| Microsoft.Compute/virtualMachines/powerOff/action | 關閉虛擬機。 請注意,虛擬機將繼續計費。 |
| Microsoft.Compute/virtualMachines/restart/action | 重新啟動虛擬機 |
| Microsoft.Compute/virtualMachines/deallocate/action | 關閉虛擬機並釋放計算資源 |
| Microsoft.Compute/virtualMachines/runCommand/action | 在虛擬機上執行預先定義的腳本 |
| Microsoft.Compute/virtualMachines/extensions/read | 取得虛擬機擴充功能的屬性 |
| Microsoft.Compute/virtualMachines/extensions/write | 建立新的虛擬機擴充功能或更新現有的虛擬機擴充功能 |
| Microsoft.Compute/virtualMachines/extensions/delete | 刪除虛擬機擴充功能 |
| Microsoft.Compute/virtualMachines/runCommands/read | 取得虛擬機執行命令的屬性 |
| Microsoft.Compute/virtualMachines/runCommands/write | 建立新的虛擬機執行命令或更新現有的虛擬機 |
| Microsoft.Compute/virtualMachines/vmSizes/read | 列出虛擬機可更新為的可用大小 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Network/networkInterfaces/write | 建立網路介面或更新現有的網路介面。 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Network/networkInterfaces/join/action | 將虛擬機加入網路介面。 不可警示。 |
| Microsoft.Network/networkInterfaces/delete | 刪除網路介面 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網路定義 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虛擬網路。 不可警示。 |
| Microsoft.Network/virtualNetworks/usages/read | 取得虛擬網路每個子網的IP使用量 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read | 傳回合約。 |
| Microsoft.KeyVault/vaults/deploy/action | 在部署 Azure 資源時,啟用金鑰保存庫中秘密的存取 |
| Microsoft.Storage/storageAccounts/read | 傳回儲存體帳戶的清單,或取得指定之儲存體帳戶的屬性。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.DesktopVirtualization/scalingPlans/read | 讀取調整計劃 |
| Microsoft.DesktopVirtualization/scalingPlans/write | 撰寫調整計劃 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role is in preview and subject to change. Provide permission to the Azure Virtual Desktop Resource Provider to create, delete, update, start, and stop virtual machines.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"name": "a959dbd1-f747-45e3-8ba6-dd80f235f97c",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/hostpools/read",
"Microsoft.DesktopVirtualization/hostpools/write",
"Microsoft.DesktopVirtualization/hostpools/retrieveRegistrationToken/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/write",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/delete",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/read",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/disconnect/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/usersessions/sendMessage/action",
"Microsoft.DesktopVirtualization/hostpools/sessionHostConfigurations/read",
"Microsoft.DesktopVirtualization/hostpools/doNotUseInternalAPI/action",
"Microsoft.DesktopVirtualization/hostpools/sessionhosts/retryprovisioning/action",
"Microsoft.Compute/availabilitySets/read",
"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/availabilitySets/vmSizes/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/galleries/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/galleries/images/versions/read",
"Microsoft.Compute/images/read",
"Microsoft.Compute/locations/usages/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/operations/read",
"Microsoft.Compute/skus/read",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/runCommand/action",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/runCommands/write",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Marketplace/offerTypes/publishers/offers/plans/agreements/read",
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.DesktopVirtualization/scalingPlans/read",
"Microsoft.DesktopVirtualization/scalingPlans/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化工作區參與者
桌面虛擬化工作區的參與者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/workspaces/* | |
| Microsoft.DesktopVirtualization/applicationgroups/read | 讀取應用程式群組 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Contributor of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/21efdde3-836f-432b-bf3d-3e8e734d4b2b",
"name": "21efdde3-836f-432b-bf3d-3e8e734d4b2b",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/*",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
桌面虛擬化工作區讀者
桌面虛擬化工作區的讀取者。
| 動作 | 描述 |
|---|---|
| Microsoft.DesktopVirtualization/workspaces/read | 讀取工作區 |
| Microsoft.DesktopVirtualization/applicationgroups/read | 讀取應用程式群組 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/read | 讀取傳統計量警示 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Reader of the Desktop Virtualization Workspace.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
"name": "0fa44ee9-7a7d-466b-9bb2-2bf446b1204d",
"permissions": [
{
"actions": [
"Microsoft.DesktopVirtualization/workspaces/read",
"Microsoft.DesktopVirtualization/applicationgroups/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Desktop Virtualization Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁碟備份讀取器
提供備份保存庫執行磁碟備份的權限。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Compute/disks/read | 取得磁碟的屬性 |
| Microsoft.Compute/disks/beginGetAccess/action | 取得磁碟的SAS URI 以進行 Blob 存取 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"name": "3e5e47e6-65f7-47ef-90b5-e5dd4d455f24",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/beginGetAccess/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Backup Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁碟集區操作員
提供 StoragePool 資源提供者權限,以管理新增至磁碟集區的磁碟。
| 動作 | 描述 |
|---|---|
| Microsoft.Compute/disks/write | 建立新的磁碟或更新現有的磁碟 |
| Microsoft.Compute/disks/read | 取得磁碟的屬性 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Used by the StoragePool Resource Provider to manage Disks added to a Disk Pool.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/60fc6e62-5479-42d4-8bf4-67625fcc2840",
"name": "60fc6e62-5479-42d4-8bf4-67625fcc2840",
"permissions": [
{
"actions": [
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Pool Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁碟還原運算子
提供備份保存庫執行磁碟還原的權限。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Compute/disks/write | 建立新的磁碟或更新現有的磁碟 |
| Microsoft.Compute/disks/read | 取得磁碟的屬性 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to perform disk restore.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b50d9833-a0cb-478e-945f-707fcc997c13",
"name": "b50d9833-a0cb-478e-945f-707fcc997c13",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Restore Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
磁碟快照參與者
提供備份保存庫管理磁碟快照集的權限。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Compute/snapshots/delete | 刪除快照集 |
| Microsoft.Compute/snapshots/write | 建立新的快照集或更新現有的快照集 |
| Microsoft.Compute/snapshots/read | 取得快照集的屬性 |
| Microsoft.Compute/snapshots/beginGetAccess/action | 取得 Blob 存取之快照集的 SAS URI |
| Microsoft.Compute/snapshots/endGetAccess/action | 撤銷快照集的SAS URI |
| Microsoft.Compute/disks/beginGetAccess/action | 取得磁碟的SAS URI 以進行 Blob 存取 |
| Microsoft.Storage/storageAccounts/listkeys/action | 傳回指定儲存體帳戶的存取金鑰。 |
| Microsoft.Storage/storageAccounts/write | 使用指定參數來建立儲存體帳戶、更新指定儲存體帳戶的屬性或標記,或新增指定儲存體帳戶的自訂網域。 |
| Microsoft.Storage/storageAccounts/read | 傳回儲存體帳戶的清單,或取得指定之儲存體帳戶的屬性。 |
| Microsoft.Storage/storageAccounts/delete | 刪除現有的記憶體帳戶。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Provides permission to backup vault to manage disk snapshots.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7efff54f-a5b4-42b5-a1c5-5411624893ce",
"name": "7efff54f-a5b4-42b5-a1c5-5411624893ce",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Disk Snapshot Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虛擬機器系統管理員登入
在入口網站中檢視虛擬機器,並以系統管理員身分登入
| 動作 | 描述 |
|---|---|
| Microsoft.Network/publicIPAddresses/read | 取得公用 IP 位址定義。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出資源的端點存取認證。 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | 以一般使用者身分登入虛擬機 |
| Microsoft.Compute/virtualMachines/loginAsAdmin/action | 使用 Windows 系統管理員或 Linux 根使用者許可權登入虛擬機 |
| Microsoft.HybridCompute/machines/login/action | 以一般使用者身分登入 Azure Arc 機器 |
| Microsoft.HybridCompute/machines/loginAsAdmin/action | 使用 Windows 系統管理員或 Linux 根使用者許可權登入 Azure Arc 計算機 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as administrator",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1c0163c0-47e6-4577-8991-ea5c82e286e4",
"name": "1c0163c0-47e6-4577-8991-ea5c82e286e4",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.Compute/virtualMachines/loginAsAdmin/action",
"Microsoft.HybridCompute/machines/login/action",
"Microsoft.HybridCompute/machines/loginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虛擬機器參與者
建立和管理虛擬機器、管理磁碟、安裝和執行軟體、使用 VM 擴充功能重設虛擬機器根使用者的密碼,以及使用 VM 擴充功能管理本機使用者帳戶。 此角色不會授與您機器所連結至的虛擬網路或儲存體帳戶的管理存取權。 此角色不允許您在 Azure RBAC 中指派角色。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Compute/availabilitySets/* | 建立和管理計算可用性設定組 |
| Microsoft.Compute/locations/* | 建立和管理計算位置 |
| Microsoft.Compute/virtualMachines/* | 執行所有虛擬機動作,包括建立、更新、刪除、啟動、重新啟動和關閉虛擬機。 在虛擬機上執行腳本。 |
| Microsoft.Compute/virtualMachineScaleSets/* | 建立和管理虛擬機器擴展集 |
| Microsoft.Compute/cloudServices/* | |
| Microsoft.Compute/disks/write | 建立新的磁碟或更新現有的磁碟 |
| Microsoft.Compute/disks/read | 取得磁碟的屬性 |
| Microsoft.Compute/disks/delete | 刪除磁碟 |
| Microsoft.DevTestLab/schedules/* | |
| Microsoft.Insights/alertRules/* | 建立和管理傳統計量警示 |
| Microsoft.Network/applicationGateways/backendAddressPools/join/action | 加入應用程式閘道後端位址池。 不可警示。 |
| Microsoft.Network/loadBalancers/backendAddressPools/join/action | 加入負載平衡器後端位址池。 不可警示。 |
| Microsoft.Network/loadBalancers/inboundNatPools/join/action | 聯結負載平衡器輸入 NAT 集區。 不可警示。 |
| Microsoft.Network/loadBalancers/inboundNatRules/join/action | 聯結負載平衡器輸入 nat 規則。 不可警示。 |
| Microsoft.Network/loadBalancers/probes/join/action | 允許使用負載平衡器的探查。 例如,使用 VM 擴展集的這個許可權 healthProbe 屬性可以參考探查。 不可警示。 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/locations/* | 建立和管理網路位置 |
| Microsoft.Network/networkInterfaces/* | 建立和管理網路介面 |
| Microsoft.Network/networkSecurityGroups/join/action | 加入網路安全性群組。 不可警示。 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Network/publicIPAddresses/join/action | 加入公用IP位址。 不可警示。 |
| Microsoft.Network/publicIPAddresses/read | 取得公用 IP 位址定義。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虛擬網路。 不可警示。 |
| Microsoft.RecoveryServices/locations/* | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write | 建立備份保護意圖 |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read | |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read | 傳回受保護項目的物件詳細數據 |
| Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write | 建立備份受保護的專案 |
| Microsoft.RecoveryServices/Vaults/backupPolicies/read | 傳回所有保護原則 |
| Microsoft.RecoveryServices/Vaults/backupPolicies/write | 建立保護原則 |
| Microsoft.RecoveryServices/Vaults/read | Get Vault 作業會取得代表 『vault』 類型的 Azure 資源的物件 |
| Microsoft.RecoveryServices/Vaults/usages/read | 傳回復原服務保存庫的使用詳細數據。 |
| Microsoft.RecoveryServices/Vaults/write | 建立保存庫作業會建立類型為 『vault』 的 Azure 資源 |
| Microsoft.ResourceHealth/availabilityStatuses/read | 取得指定範圍中所有資源的可用性狀態 |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.SerialConsole/serialPorts/connect/action | 線上到序列埠 |
| Microsoft.SqlVirtualMachine/* | |
| Microsoft.Storage/storageAccounts/listKeys/action | 傳回指定儲存體帳戶的存取金鑰。 |
| Microsoft.Storage/storageAccounts/read | 傳回儲存體帳戶的清單,或取得指定之儲存體帳戶的屬性。 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"name": "9980e02c-c2be-4d73-94e8-173b1dc7cf3c",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Compute/availabilitySets/*",
"Microsoft.Compute/locations/*",
"Microsoft.Compute/virtualMachines/*",
"Microsoft.Compute/virtualMachineScaleSets/*",
"Microsoft.Compute/cloudServices/*",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.DevTestLab/schedules/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/applicationGateways/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatPools/join/action",
"Microsoft.Network/loadBalancers/inboundNatRules/join/action",
"Microsoft.Network/loadBalancers/probes/join/action",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/locations/*",
"Microsoft.Network/networkInterfaces/*",
"Microsoft.Network/networkSecurityGroups/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.RecoveryServices/locations/*",
"Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read",
"Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write",
"Microsoft.RecoveryServices/Vaults/backupPolicies/read",
"Microsoft.RecoveryServices/Vaults/backupPolicies/write",
"Microsoft.RecoveryServices/Vaults/read",
"Microsoft.RecoveryServices/Vaults/usages/read",
"Microsoft.RecoveryServices/Vaults/write",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.SerialConsole/serialPorts/connect/action",
"Microsoft.SqlVirtualMachine/*",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虛擬機器資料存取權系統管理員 (預覽)
新增或移除虛擬機器系統管理員登入和虛擬機器使用者登入角色的角色指派,以管理虛擬機器的存取權。 包含用來限制角色指派的 ABAC 條件。
| 動作 | 描述 |
|---|---|
| Microsoft.Authorization/roleAssignments/write | 建立指定範圍的角色指派。 |
| Microsoft.Authorization/roleAssignments/delete | 刪除指定範圍內的角色指派。 |
| Microsoft.Authorization/*/read | 讀取角色和角色指派 |
| Microsoft.Resources/subscriptions/resourceGroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/subscriptions/read | 取得訂用帳戶的清單。 |
| Microsoft.Management/managementGroups/read | 列出已驗證使用者的管理群組。 |
| Microsoft.Network/publicIPAddresses/read | 取得公用 IP 位址定義。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.Resources/deployments/* | 建立和管理部署 |
| Microsoft.Support/* | 建立和更新支援票證 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none | |
| Condition | |
| ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'}))OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND (!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) | 新增或移除下列角色的角色指派: 虛擬機器系統管理員登入 虛擬機器使用者登入 |
{
"assignableScopes": [
"/"
],
"description": "Manage access to Virtual Machines by adding or removing role assignments for the Virtual Machine Administrator Login and Virtual Machine User Login roles. Includes an ABAC condition to constrain role assignments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"name": "66f75aeb-eabe-4b70-9f1e-c350c4c9ad04",
"permissions": [
{
"actions": [
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Authorization/roleAssignments/delete",
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Management/managementGroups/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": [],
"conditionVersion": "2.0",
"condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{1c0163c0-47e6-4577-8991-ea5c82e286e4, fb879df8-f326-4884-b1cf-06f3ad86be52}))"
}
],
"roleName": "Virtual Machine Data Access Administrator (preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虛擬機器本機使用者登入
在入口網站中檢視虛擬機器,並以 Arc 伺服器上設定的本機使用者身分登入
| 動作 | 描述 |
|---|---|
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出資源的端點存取認證。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a local user configured on the arc server",
"id": "/providers/Microsoft.Authorization/roleDefinitions/602da2ba-a5c2-41da-b01d-5360126ab525",
"name": "602da2ba-a5c2-41da-b01d-5360126ab525",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Virtual Machine Local User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
虛擬機器使用者登入
在入口網站中檢視虛擬機器,並以一般使用者身分登入。
| 動作 | 描述 |
|---|---|
| Microsoft.Network/publicIPAddresses/read | 取得公用 IP 位址定義。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Compute/virtualMachines/*/read | |
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridConnectivity/endpoints/listCredentials/action | 列出資源的端點存取認證。 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.Compute/virtualMachines/login/action | 以一般使用者身分登入虛擬機 |
| Microsoft.HybridCompute/machines/login/action | 以一般使用者身分登入 Azure Arc 機器 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "View Virtual Machines in the portal and login as a regular user.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fb879df8-f326-4884-b1cf-06f3ad86be52",
"name": "fb879df8-f326-4884-b1cf-06f3ad86be52",
"permissions": [
{
"actions": [
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachines/*/read",
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridConnectivity/endpoints/listCredentials/action"
],
"notActions": [],
"dataActions": [
"Microsoft.Compute/virtualMachines/login/action",
"Microsoft.HybridCompute/machines/login/action"
],
"notDataActions": []
}
],
"roleName": "Virtual Machine User Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows 365 網路介面參與者
Windows 365 會使用此角色來布建所需的網路資源,並將Microsoft裝載的 VM 加入網路介面。
| 動作 | 描述 |
|---|---|
| Microsoft.Resources/subscriptions/resourcegroups/read | 取得或列出資源群組。 |
| Microsoft.Resources/deployments/read | 取得或列出部署。 |
| Microsoft.Resources/deployments/write | 建立或更新部署。 |
| Microsoft.Resources/deployments/delete | 刪除部署。 |
| Microsoft.Resources/deployments/operations/read | 取得或列出部署作業。 |
| Microsoft.Resources/deployments/operationstatuses/read | 取得或列出部署作業狀態。 |
| Microsoft.Network/locations/operations/read | 取得表示異步操作狀態的作業資源 |
| Microsoft.Network/locations/operationResults/read | 取得異步 POST 或 DELETE 作業的作業結果 |
| Microsoft.Network/locations/usages/read | 取得資源使用計量 |
| Microsoft.Network/networkInterfaces/write | 建立網路介面或更新現有的網路介面。 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Network/networkInterfaces/delete | 刪除網路介面 |
| Microsoft.Network/networkInterfaces/join/action | 將虛擬機加入網路介面。 不可警示。 |
| Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action | 取得在 VM 網路介面上設定的網路安全組 |
| Microsoft.Network/networkInterfaces/effectiveRouteTable/action | 取得 Vm 網路介面上設定的路由表 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to provision required network resources and join Microsoft-hosted VMs to network interfaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1f135831-5bbe-4924-9016-264044c00788",
"name": "1f135831-5bbe-4924-9016-264044c00788",
"permissions": [
{
"actions": [
"Microsoft.Resources/subscriptions/resourcegroups/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/deployments/delete",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/operationstatuses/read",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/locations/usages/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkInterfaces/join/action",
"Microsoft.Network/networkInterfaces/effectiveNetworkSecurityGroups/action",
"Microsoft.Network/networkInterfaces/effectiveRouteTable/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network Interface Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows 365 網路使用者
Windows 365 會使用此角色來讀取虛擬網路,並加入指定的虛擬網路。
| 動作 | 描述 |
|---|---|
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/virtualNetworks/subnets/read | 取得虛擬網路子網路定義 |
| Microsoft.Network/virtualNetworks/usages/read | 取得虛擬網路每個子網的IP使用量 |
| Microsoft.Network/virtualNetworks/subnets/join/action | 加入虛擬網路。 不可警示。 |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "This role is used by Windows 365 to read virtual networks and join the designated virtual networks.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/7eabc9a4-85f7-4f71-b8ab-75daaccc1033",
"name": "7eabc9a4-85f7-4f71-b8ab-75daaccc1033",
"permissions": [
{
"actions": [
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/usages/read",
"Microsoft.Network/virtualNetworks/subnets/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Windows 365 Network User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Windows Admin Center 系統管理員登入
讓我們以系統管理員身分透過 Windows Admin Center 管理資源的作業系統。
| 動作 | 描述 |
|---|---|
| Microsoft.HybridCompute/machines/*/read | |
| Microsoft.HybridCompute/machines/extensions/* | |
| Microsoft.HybridCompute/machines/upgradeExtensions/action | 升級 Azure Arc 機器上的擴充功能 |
| Microsoft.HybridCompute/operations/read | 讀取適用於伺服器的 Azure Arc 的所有作業 |
| Microsoft.Network/networkInterfaces/read | 取得網路介面定義。 |
| Microsoft.Network/loadBalancers/read | 取得負載平衡器定義 |
| Microsoft.Network/publicIPAddresses/read | 取得公用 IP 位址定義。 |
| Microsoft.Network/virtualNetworks/read | 取得虛擬網路定義 |
| Microsoft.Network/networkSecurityGroups/read | 取得網路安全組定義 |
| Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read | 取得預設安全性規則定義 |
| Microsoft.Network/networkWatchers/securityGroupView/action | 檢視 VM 上套用的已設定且有效的網路安全組規則。 |
| Microsoft.Network/networkSecurityGroups/securityRules/read | 取得安全性規則定義 |
| Microsoft.Network/networkSecurityGroups/securityRules/write | 建立安全性規則或更新現有的安全性規則 |
| Microsoft.HybridConnectivity/endpoints/write | 建立或更新目標資源的端點。 |
| Microsoft.HybridConnectivity/endpoints/read | 取得或列出目標資源的端點。 |
| Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write | 建立或更新 serviceConfigurations 至端點資源。 |
| Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read | 取得或列出端點資源的 serviceConfigurations。 |
| Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action | 列出資源的Managed Proxy詳細數據。 |
| Microsoft.Compute/virtualMachines/read | 取得虛擬機器的屬性 |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read | 擷取最新修補程式評估作業的摘要 |
| Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read | 擷取上次修補程式評估作業期間評估的修補程序清單 |
| Microsoft.Compute/virtualMachines/patchInstallationResults/read | 擷取最新修補程式安裝作業的摘要 |
| Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read | 擷取上次修補程式安裝作業期間嘗試安裝的修補程序清單 |
| Microsoft.Compute/virtualMachines/extensions/read | 取得虛擬機擴充功能的屬性 |
| Microsoft.Compute/virtualMachines/instanceView/read | 取得虛擬機及其資源的詳細運行時間狀態 |
| Microsoft.Compute/virtualMachines/runCommands/read | 取得虛擬機執行命令的屬性 |
| Microsoft.Compute/virtualMachines/vmSizes/read | 列出虛擬機可更新為的可用大小 |
| Microsoft.Compute/locations/publishers/artifacttypes/types/read | 取得 VMExtension 類型的屬性 |
| Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read | 取得 VMExtension 版本的屬性 |
| Microsoft.Compute/diskAccesses/read | 取得 DiskAccess 資源的屬性 |
| Microsoft.Compute/galleries/images/read | 取得資源庫映像的屬性 |
| Microsoft.Compute/images/read | 取得 Image 的屬性 |
| Microsoft.AzureStackHCI/Clusters/Read | 取得叢集 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Read | 取得 HCI 叢集的弧線資源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read | 取得 HCI 叢集的擴充資源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write | 建立或更新 HCI 叢集的擴充資源 |
| Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete | 刪除 HCI 叢集的擴充功能資源 |
| Microsoft.AzureStackHCI/Operations/Read | 取得作業 |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read | 讀取 virtualmachines |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write | 寫入擴充功能資源 |
| Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read | 取得延伸模組資源 |
| NotActions | |
| none | |
| DataActions | |
| Microsoft.HybridCompute/machines/WACLoginAsAdmin/action | 可讓您以系統管理員身分透過 Windows Admin Center 管理資源的 OS。 |
| Microsoft.Compute/virtualMachines/WACloginAsAdmin/action | 可讓您以系統管理員身分透過 Windows Admin Center 管理資源的 OS |
| Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action | 透過 Windows Admin Center 以系統管理員身分管理 HCI 資源的 OS |
| Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action | 可讓您以系統管理員身分透過 Windows Admin Center 管理資源的 OS。 |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Let's you manage the OS of your resource via Windows Admin Center as an administrator.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a6333a3e-0164-44c3-b281-7a577aff287f",
"name": "a6333a3e-0164-44c3-b281-7a577aff287f",
"permissions": [
{
"actions": [
"Microsoft.HybridCompute/machines/*/read",
"Microsoft.HybridCompute/machines/extensions/*",
"Microsoft.HybridCompute/machines/upgradeExtensions/action",
"Microsoft.HybridCompute/operations/read",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/defaultSecurityRules/read",
"Microsoft.Network/networkWatchers/securityGroupView/action",
"Microsoft.Network/networkSecurityGroups/securityRules/read",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.HybridConnectivity/endpoints/write",
"Microsoft.HybridConnectivity/endpoints/read",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/write",
"Microsoft.HybridConnectivity/endpoints/serviceConfigurations/read",
"Microsoft.HybridConnectivity/endpoints/listManagedProxyDetails/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/read",
"Microsoft.Compute/virtualMachines/patchAssessmentResults/latest/softwarePatches/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/read",
"Microsoft.Compute/virtualMachines/patchInstallationResults/softwarePatches/read",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/runCommands/read",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/read",
"Microsoft.Compute/locations/publishers/artifacttypes/types/versions/read",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/galleries/images/read",
"Microsoft.Compute/images/read",
"Microsoft.AzureStackHCI/Clusters/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Read",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Write",
"Microsoft.AzureStackHCI/Clusters/ArcSettings/Extensions/Delete",
"Microsoft.AzureStackHCI/Operations/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Read",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Write",
"Microsoft.ConnectedVMwarevSphere/VirtualMachines/Extensions/Read"
],
"notActions": [],
"dataActions": [
"Microsoft.HybridCompute/machines/WACLoginAsAdmin/action",
"Microsoft.Compute/virtualMachines/WACloginAsAdmin/action",
"Microsoft.AzureStackHCI/Clusters/WACloginAsAdmin/Action",
"Microsoft.ConnectedVMwarevSphere/virtualmachines/WACloginAsAdmin/action"
],
"notDataActions": []
}
],
"roleName": "Windows Admin Center Administrator Login",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}